I don't think this is possible. From what I have observed, once the client has been challenged with a BASIC/NTLM/Negotiate header it won't accept a redirect to an unprotected page. You can do it the other way around, giving the users a choice to log in with a challenge or a form. This is implemented in the waffle-mixed example (although not with Spring).

In addition, the server doesn't always know that the client is going to fail authentication as the client keeps trying to send valid authorization headers and eventually gives up popping up a dialog.

When the user enters a wrong password, it will go to login.jsp. But that also means that if the user enters a wrong password one time during NTLM, it will go directly to login.jsp without allowing the user to retry keying in the password. It has a drawback, of course.
Share this with other people that want a similar feature.

If SSO fails and you want to redirect the user to an unprotected form login page, you need to send a "Connection: close" header along with the redirect. The client then closes the existing connection and opens a new one that won't use HTTP authentication. I'm using this in my auth filter (which is a combination of waffle/kerberos/jcifs) and it works fine.
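
The fallback described in the post above, sketched as a servlet filter. This is an added example, not the poster's filter or Waffle's code: the `SsoHandshake` hook, the `Outcome` enum, the `/login.jsp` path and the `user` session attribute are all hypothetical stand-ins, and it assumes the servlet container honors an application-set `Connection: close` response header.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.*;

public class SsoFallbackFilter implements Filter {
    /** Outcome of one round of the SSO handshake. */
    public enum Outcome { AUTHENTICATED, CHALLENGE_SENT, FAILED }

    /** Hypothetical hook standing in for the waffle/kerberos/jcifs logic. */
    public interface SsoHandshake {
        Outcome step(HttpServletRequest rq, HttpServletResponse rs) throws IOException;
    }

    private static final String LOGIN_PAGE = "/login.jsp"; // assumed unprotected form page
    private final SsoHandshake sso;

    public SsoFallbackFilter(SsoHandshake sso) { this.sso = sso; }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest rq = (HttpServletRequest) req;
        HttpServletResponse rs = (HttpServletResponse) res;
        HttpSession session = rq.getSession(false);
        // "user" is an assumed attribute set by the handshake or the form login.
        boolean loggedIn = session != null && session.getAttribute("user") != null;

        // The form page must stay outside the challenge, or the fallback loops.
        if (loggedIn || LOGIN_PAGE.equals(rq.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }
        switch (sso.step(rq, rs)) {
            case AUTHENTICATED:
                chain.doFilter(req, res);
                break;
            case CHALLENGE_SENT:
                break; // 401 + WWW-Authenticate already written by the handshake
            case FAILED:
                // Drop the connection the handshake ran on so the browser
                // requests the form page on a fresh, unauthenticated one.
                rs.setHeader("Connection", "close");
                rs.sendRedirect(rs.encodeRedirectURL(rq.getContextPath() + LOGIN_PAGE));
                break;
        }
    }
}
```

The `FAILED` branch only runs when the server itself rejects the credentials. The `Connection` header is specific to HTTP/1.x and is not available on HTTP/2 connections.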

Thanks. I created a feature request for reviewing this in the mixed authenticator. The one problem is that authentication may not fail on the server, but on the client. So the server keeps getting valid tickets and asks the client to continue until the client gives up.